Mobile Security Still a Race Between Bad Guys and Good Guys

Pop quiz: Which statement is true? Mobile banking is becoming more secure. When it comes to mobile security, the crooks are gaining.

Actually, both choices could be the right answer, experts have said.

“My impression is we are all getting better at what we do,” said Scott Ksander, vice president of IT at the $733 million Purdue Federal Credit Union in West Lafayette, Ind. “Unfortunately, that goes for both the bad guys and the good guys.”

When it comes to protecting online transactions, are financial institutions becoming more proactive?

“Very much so. I think awareness is percolating through all ages,” Ksander said. “There are a lot of educational programs in credit unions and communities. But the bad guys are getting smarter, too. This kind of theft is sadly still a profitable business opportunity with relatively low risk. It’s six times more profitable than armed robbery.”

Even though Ksander believes law enforcement officials are getting better at tackling mobile banking crime, he doesn’t think it’s time to stop worrying about it.

“I talk to people who ask, ‘Should I be afraid?’ No, but you should be aware and be cautious, just like our parents taught us not to walk down dark alleys. The problem is that in the cyber world, the dark alleys are a little harder to understand,” Ksander said.

Awareness is a big factor in combating mobile banking crime. With more people using the channel, many of them may not be very sophisticated about protecting their accounts.

“As a society we’ve made it look so easy,” Ksander said. “Students coming here to Purdue have had their cellphones since sixth grade. There’s kind of a middle generation problem here. The younger generation has had technology for so long, they have awareness. I think the older generation is more cautious by nature. The middle generation is really the prime target of the bad guys. That’s a pretty broad brush, but that’s kind of what we’re seeing.”

Identity is the key to the whole thing, he pointed out. The more the bad guys know about you, the easier it is to impersonate you and carry out a successful transaction. The object is not to just hit and run. The crook wants to wait until he can wipe out your entire retirement savings account. So, he watches and learns.

Ksander said you don’t need to have the highest fence available. You simply need a fence that’s higher than what the next guy has built.

Still, downloading a mobile banking transaction may not be any more risky than downloading a family tree app, Ksander noted. He recalled the time he was making a presentation at a retirement community. During the presentation he received a vanity alert indicating his name had been found by Google in a story.

The alert revealed the Ksander family tree was available online. He discovered that if an identity thief wanted to know his mother’s maiden name – a common security confirmation question – there it was. A birth certificate was attached in jpg. Turns out, a fairly distant relative had used an app to create a family tree. The problem was the information would provide a crook with birthdates and other information that would be dandy for identity theft.

Neal O’Farrell, director of the Identity Theft Council, agreed the picture is mixed. Efforts by financial institutions to combat hackers have improved, but attempts by crooks have become more targeted and complicated.

“Financial institutions have realized it is a question of security first,” O’Farrell said. “Yes, security can be expensive, especially when a financial institution is struggling. But security must come first or it will catch up with you.”

O’Farrell said there was a rush of mobile banking apps to market to capture market share. Now, people realize security is as much of a priority as convenience. For consumers, O’Farrell said, free malware detection, password monitors and keylogger protection are available.

As mobile devices have proliferated, IT departments have not kept up with needed controls, said Tom Schauer, CEO and chief client experience officer of TrustCC, an IT audit and security assessment firm. The big threat today is loss of a mobile-enabled device. If a cellphone or a tablet is swiped, confidential information may be compromised. Many credit unions operate on a “bring your own device” basis.

One employee, for example, may use an iPhone operating system while another prefers Android. TrustCC has researched mobile device management software and has discovered inexpensive tools. The firm offers several tips for credit unions offering employees a BYOD approach, including specifying what devices the credit union will support and instituting a stringent universal security policy.